We announced IronBee, our next-generation web application
firewall engine, exactly one year ago at the RSA Conference in San Francisco. Although we had expected
to have a fully working product by now, it did not happen. In this post I will explain why.

This time last year, we had a core of the product built on top of LibHTP, our security-aware HTTP parsing library. We had also put the project infrastructure out in public,
on GitHub and SourceForge. The initial public release was 0.2, and the state of the project was pretty much what
you would expect (except for LibHTP, which had been worked on earlier and was pretty decent). The goal of the early
announcement was to get the word out and hopefully get interested parties to join us. It didn't work.
The feedback was overwhelmingly positive and many were genuinely interested in working on IronBee, but, at the
end of the day, no one followed through.

The lack of contributors did not stall our project. What did stall it was that our entire development
team was busy with other projects and that we were unable to hire a full-time developer for
IronBee. It was not until November that we hired Nicholas LeRoy to fill the developer role, and
that's when the development started to pick up. We were also able to free additional resources for work

The official reboot happened internally about a month ago, but we are making it public now. This
year's RSA Conference is next week, and we're aware that people will be asking questions about our
progress. If it weren't for that, we would probably keep quiet for another month or so, until we had more

In the coming weeks, we will start to make regular releases, improve the documentation, and start to write here about our progress
and, especially, the interesting new features we have in IronBee. Finally, we will start to track our progress
on the development roadmap.